Snort mailing list archives
Re: DNS traffic or portscan?
From: spyguy703 <spyguy703 () yahoo com>
Date: Tue, 26 Feb 2002 11:26:56 -0800
I will try that. Some individuals have told me that Snort is only seeing one side of regular DNS traffic and thus it is showing up as a portscan. Possible? If so, what did I do wrong with Snort?

On Tuesday 26 February 2002 11:24 am, Glenn Forbes Fleming Larratt wrote:
It's not a sure thing, but, examining it from a stimulus-response perspective, it's mighty convenient that the source port numbers increment more or less sequentially - across, supposedly, two different source hosts. It's a reasonable possibility someone spoofed the addresses of win32host, snorthost, or both. Configuring Snort to log traffic to dns1.mydomain.com might help determine (a) source MAC addresses, to confirm or deny the spoofing theory, (b) contents of the DNS requests stimulating this response (DDNS? Cache poisoning? version.bind queries? etc.).

-g

On Tue, 26 Feb 2002, spyguy703 wrote:

Can someone please help me figure out what to make of this traffic that I pulled from portscan.log? I had DNS admins check out the DNS server and they are certain that it has not been compromised and that no one is scanning me.

"dns1.mydomain.com" is our DNS server on the internet
"win32host" is a windows host on the DMZ network (publicly routable IP)
"snorthost" is the management interface on the snort host that monitors this network.
Feb 22 13:20:20 dns1.mydomain.com:53 -> win32host:1092 UDP
Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1096 UDP
Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1099 UDP
Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1101 UDP
Feb 22 13:20:22 dns1.mydomain.com:53 -> win32host:1103 UDP
Feb 22 13:20:24 dns1.mydomain.com:53 -> win32host:1105 UDP
Feb 22 14:10:47 dns1.mydomain.com:53 -> snorthost:1108 UDP
Feb 22 14:10:47 dns1.mydomain.com:53 -> snorthost:1109 UDP
Feb 22 14:10:48 dns1.mydomain.com:53 -> snorthost:1110 UDP
Feb 22 14:10:49 dns1.mydomain.com:53 -> snorthost:1111 UDP
Feb 22 14:10:49 dns1.mydomain.com:53 -> snorthost:1112 UDP
Feb 22 14:10:53 dns1.mydomain.com:53 -> snorthost:1113 UDP
Feb 22 14:10:53 dns1.mydomain.com:53 -> snorthost:1114 UDP
Feb 22 14:47:08 dns1.mydomain.com:53 -> snorthost:1122 UDP
Feb 22 14:47:08 dns1.mydomain.com:53 -> snorthost:1123 UDP
Feb 22 14:47:08 dns1.mydomain.com:53 -> snorthost:1124 UDP
Feb 22 14:47:10 dns1.mydomain.com:53 -> snorthost:1125 UDP
Feb 22 14:47:10 dns1.mydomain.com:53 -> snorthost:1126 UDP
Feb 22 14:47:14 dns1.mydomain.com:53 -> snorthost:1127 UDP
Feb 22 14:47:14 dns1.mydomain.com:53 -> snorthost:1128 UDP
Feb 22 17:38:45 dns1.mydomain.com:53 -> snorthost:1132 UDP
Feb 22 17:38:45 dns1.mydomain.com:53 -> snorthost:1133 UDP
Feb 22 17:38:45 dns1.mydomain.com:53 -> snorthost:1134 UDP
Feb 22 17:38:47 dns1.mydomain.com:53 -> snorthost:1135 UDP
Feb 22 17:38:47 dns1.mydomain.com:53 -> snorthost:1136 UDP
Feb 22 17:38:53 dns1.mydomain.com:53 -> snorthost:1137 UDP
Feb 22 17:38:53 dns1.mydomain.com:53 -> snorthost:1138 UDP

Glenn Forbes Fleming Larratt
Rice University Network Management
glratt () rice edu

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
_________________________________________________________
Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com
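The pattern the thread is discussing (a fixed service source port, destination ports all in the ephemeral range and rising in step on each host) is exactly what the reply half of ordinary client traffic looks like when a sensor only sees one direction. The triage below is an added example, not code from the thread or from Snort: it parses portscan.log lines in the layout quoted above and, per source host, reports whether the entries fit that one-sided-reply pattern or look like a scan. The sample log is constructed (the dns1 lines follow the thread's format; the scanner.example lines, including their TCP flag column, are an assumption about how a real scan would appear).

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the "host:port -> host:port PROTO" layout of the thread's
# portscan.log. Hostnames, times and the scanner entries are made up; the trailing
# TCP flag column on the scanner lines is an assumed format, not taken from the page.
SAMPLE_LOG = """\
Feb 22 13:20:20 dns1.mydomain.com:53 -> win32host:1092 UDP
Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1096 UDP
Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1099 UDP
Feb 22 13:20:21 dns1.mydomain.com:53 -> win32host:1101 UDP
Feb 22 13:20:22 dns1.mydomain.com:53 -> win32host:1103 UDP
Feb 22 13:20:24 dns1.mydomain.com:53 -> win32host:1105 UDP
Feb 22 14:10:47 dns1.mydomain.com:53 -> snorthost:1108 UDP
Feb 22 14:10:47 dns1.mydomain.com:53 -> snorthost:1109 UDP
Feb 22 14:10:48 dns1.mydomain.com:53 -> snorthost:1110 UDP
Feb 22 15:00:01 scanner.example:40001 -> win32host:21 SYN ******S*
Feb 22 15:00:01 scanner.example:40002 -> win32host:22 SYN ******S*
Feb 22 15:00:01 scanner.example:40003 -> win32host:23 SYN ******S*
Feb 22 15:00:02 scanner.example:40004 -> win32host:25 SYN ******S*
Feb 22 15:00:02 scanner.example:40005 -> win32host:80 SYN ******S*
Feb 22 15:00:02 scanner.example:40006 -> win32host:110 SYN ******S*
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+(?P<proto>.+)$"
)


@dataclass
class Entry:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_portscan_log(text):
    """Parse portscan.log lines into Entry objects; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["ts"], m["src"], int(m["sport"]),
                                 m["dst"], int(m["dport"]), m["proto"]))
    return entries


@dataclass
class Verdict:
    label: str
    reasons: list


def triage_sources(entries, service_ports=(53,)):
    """Per source host, decide whether the flagged packets look like the reply half of
    normal client traffic (one fixed service source port, ephemeral destination ports
    rising per destination host) or whether they should be treated as a scan."""
    by_src = defaultdict(list)
    for e in entries:
        by_src[e.src].append(e)

    verdicts = {}
    for src, evs in by_src.items():
        reasons = []
        sports = sorted({e.sport for e in evs})
        fixed_service = len(sports) == 1 and sports[0] in service_ports
        reasons.append("single service source port %s" % sports if fixed_service
                       else "source ports vary or are not a known service port: %s" % sports[:5])

        ephemeral = all(e.dport >= 1024 for e in evs)
        reasons.append("all destination ports are ephemeral (>= 1024)" if ephemeral
                       else "destination ports include well-known ports")

        # Replies to a client whose OS hands out ephemeral ports sequentially arrive in
        # rising port order per destination host (gaps are flows the sensor did not see).
        per_dst = defaultdict(list)
        for e in evs:                      # log order is chronological
            per_dst[e.dst].append(e.dport)
        rising = all(all(a < b for a, b in zip(ports, ports[1:])) for ports in per_dst.values())
        reasons.append("destination ports rise monotonically per host" if rising
                       else "destination ports do not rise monotonically per host")

        if fixed_service and ephemeral and rising:
            label = "likely one-sided server replies (sensor sees only the response direction)"
        else:
            label = "consistent with a port scan; investigate"
        verdicts[src] = Verdict(label, reasons)
    return verdicts


if __name__ == "__main__":
    for src, v in triage_sources(parse_portscan_log(SAMPLE_LOG)).items():
        print(src, "->", v.label)
        for r in v.reasons:
            print("   ", r)
```

The heuristic only says which hypothesis the log shape fits; confirming it still needs the other direction of the traffic, which is why the suggestion upstream (log the packets to and from dns1.mydomain.com, including MAC addresses) is the right next step. If the sensor's span or tap feeds it only one direction, a "scan" of rising ephemeral ports from port 53 is the expected artefact.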
Current thread:
- DNS traffic or portscan? spyguy703 (Feb 26)
- Re: DNS traffic or portscan? Glenn Forbes Fleming Larratt (Feb 26)
- Re: DNS traffic or portscan? spyguy703 (Feb 26)
- <Possible follow-ups>
- RE: DNS traffic or portscan? McCammon, Keith (Feb 26)
- Re: DNS traffic or portscan? spyguy703 (Feb 26)
- Re: DNS traffic or portscan? Glenn Forbes Fleming Larratt (Feb 26)
- RE: DNS traffic or portscan? McCammon, Keith (Feb 26)
- Re: DNS traffic or portscan? Glenn Forbes Fleming Larratt (Feb 26)